IT security has never been more of a hot button topic than it is today. Increasingly, the focus is on the security of the Internet of Things (IoT) and the embedded systems that support these devices.
And so far, the traditional enterprise security architectures and procedures are failing to protect these systems from being compromised. The evidence is trumpeted in the headlines documenting successful compromises, emerging breach patterns, and the exploding volume of vulnerability advisories.
The Mirai malware and new variants continue to compromise IoT devices, creating massive botnets harnessed for Distributed Denial of Service attacks.
An estimated 84% of companies that have deployed IoT have experienced a security breach as a result, according to reporting in TechRepublic.
At the same time, the number of vulnerabilities being detected and reported in systems of all types is skyrocketing. The National Vulnerability Database reported 14,000 Common Vulnerabilities and Exposures (CVEs) in 2017, more than double the previous year’s total.
A heightened attack environment with an escalating vulnerability count means that it falls to the makers of device hardware and software to build out the strongest possible security posture for their devices.
If you develop and maintain a Board Support Package (BSP) for an embedded open source system in an IoT device, how do you ensure your BSP complies with the target security posture? For that matter, what is a security posture and how do you formulate the requirements for supporting one?
Understanding the Security Posture
The National Institute of Standards and Technology defines a “security posture” as the status of an enterprise’s networks, information and systems to defend the enterprise in an information assurance context. How do the hardware, software, people, and processes work together to prevent the compromise of information or the systems processing, transporting, or storing it?
In practice, an effective security posture is one that adequately protects the confidentiality, integrity, and availability of the information and systems required to meet the company’s operational goals.
That’s still very general, so what’s the implication for your BSP? It means you need to evaluate the security posture of the device it will support as well as its expected deployment mode and application. In a future blog post, we’ll explore implications for designing more secure embedded systems, such as embedded Linux hardening and steps for minimizing the attack surface.
For maintaining strong security for a BSP once it has been released, the key lies in being able to respond rapidly and efficiently when vulnerabilities and patches affecting your BSP are identified.
The ‘Vulnerability Storm’
The thousands of CVEs reported each year in the National Vulnerability Database cover a lot of territory. Thousands of products ranging from network devices to applications and everything in between have been affected by reported CVEs in the last two decades.
Maintaining the security posture of your BSP and its supported device means cutting through the “vulnerability storm” and focusing on only what matters. It requires you to sift through these thousands of vulnerabilities, to pinpoint which ones apply to your device and its production deployment circumstances, assess the severity and risk, locate or create a mitigating patch or update, test it, and then deliver the appropriate fix to the device.
That’s not a simple process. And the clock is ticking. The longer a vulnerability is exposed and a system is unpatched, the greater the chance an attacker will launch an exploit for it.
In the world of IoT, such attacks can have major consequences, from taking down an operationally critical manufacturing process, to affecting the wellbeing of a patient, to knocking out safeguards in a transportation system.
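The sifting step described above (which reported vulnerabilities apply to this BSP as deployed, and in what order to handle them) can be sketched as follows. This is an added example, not Timesys code: the manifest, feature names, version ranges and placeholder CVE identifiers are all constructed, and versions are assumed to be purely numeric and dotted.

```python
from dataclasses import dataclass
from typing import Optional

def parse_version(v):
    """'1.27.2' -> (1, 27, 2); assumes numeric dotted versions only."""
    return tuple(int(part) for part in v.split("."))

@dataclass
class Advisory:
    cve_id: str                          # placeholder ids, not real CVEs
    package: str
    introduced: str                      # first affected version (inclusive)
    fixed: str                           # first fixed version (exclusive)
    cvss: float
    needs_feature: Optional[str] = None  # hypothetical: feature that must be enabled

# Constructed BSP manifest and deployment configuration.
MANIFEST = {"openssl": "1.0.2", "busybox": "1.27.2", "dropbear": "2017.75"}
ENABLED_FEATURES = {"ssh", "tls"}

# Constructed advisory feed; the ranges do not describe real vulnerabilities.
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "openssl", "1.0.0", "1.0.3", 7.5, "tls"),
    Advisory("CVE-XXXX-0002", "busybox", "1.20.0", "1.27.0", 9.8),   # already fixed
    Advisory("CVE-XXXX-0003", "nginx", "1.0.0", "1.15.0", 8.1),      # not in the BSP
    Advisory("CVE-XXXX-0004", "dropbear", "2016.0", "2018.76", 9.8, "ssh"),
    Advisory("CVE-XXXX-0005", "busybox", "1.0.0", "1.28.0", 5.3, "telnetd"),  # feature off
]

def triage(manifest, features, advisories):
    """Return advisories that affect this BSP as deployed, highest CVSS first."""
    hits = []
    for adv in advisories:
        installed = manifest.get(adv.package)
        if installed is None:
            continue  # package is not shipped in this BSP
        version = parse_version(installed)
        if not parse_version(adv.introduced) <= version < parse_version(adv.fixed):
            continue  # shipped version is outside the affected range
        if adv.needs_feature and adv.needs_feature not in features:
            continue  # vulnerable code path is not enabled in this deployment
        hits.append(adv)
    return sorted(hits, key=lambda a: a.cvss, reverse=True)

if __name__ == "__main__":
    for adv in triage(MANIFEST, ENABLED_FEATURES, ADVISORIES):
        print(adv.cve_id, adv.package, MANIFEST[adv.package], adv.cvss)
```

Real version strings often carry letter suffixes or distribution patch levels, and a backported fix can make a version-range match a false positive, so the result is a shortlist for assessment rather than a verdict.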
BSP Lifecycle Maintenance
Here at Timesys, we have been working for years with companies bringing products to market with stronger embedded system security.
We streamline Linux BSP development with our intuitive build environments, Yocto Project Café and Timesys Factory, which can significantly cut the cost and time-to-market of your BSP project.
Our newest security offering, the TRST Product Protection Solutions, captures the best practices for embedded open source security design and maintenance, for the strongest security posture.
In fact, the Security Vulnerability and Patch Notification Service, part of our TRST offering, will streamline the entire process of monitoring, analyzing and responding to vulnerabilities for better embedded Linux security.
Specifically for developers of BSPs, our BSP Lifecycle Maintenance solution relieves your team of the burden of constant CVE monitoring to evaluate the impact of reported open source software vulnerabilities. Our service can streamline and simplify every step of the process, from vulnerability identification and assessment to patch integration and testing.
Contact us today to learn more about how BSP Lifecycle Maintenance can improve your BSP security posture.
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with globally leading semiconductor manufacturers, providing smart, quick, high-quality solutions for highly complex systems with accelerated product innovation and multiple product variants.